trust Element (ASP.NET Settings Schema)
Configures the level of code access security (CAS) that is applied to an application. Use this element, if you want to run a Web application that has less than Full trust.
<trust level="[Full|High|Medium|Low|Minimal]" originUrl="URL" processRequestInApplicationTrust = "[True|False]" />
The following sections describe attributes, child elements, and parent elements.
Required String attribute.
Specifies the trust level under which the application will run. Each trust level is mapped to an individual XML policy file using a trustLevel element in the configuration file. The policy file lists the set of permissions that are granted by each trust level. For information about ASP.NET and policy files, see .
This attribute can be a user-defined value, if there is a matching security policy mapping defined in a trustLevel element in the element or one of the following possible values, in increasing order of restrictiveness.
The default is Full (no restrictions).
Optional String attribute.
Specifies a URL for use with the restricted WebPermission permission that is configured in Medium trust. If present, this can be used for some classes, such as HttpWebRequest, that allow connectivity to only specific URLs that are specified by a WebPermission. This allows permissions that rely on the notion of a host to function correctly.
Specifies whether page requests are automatically restricted to the permissions that are configured in the trust policy file that is applied to the ASP.NET application.
If set to False, ASP.NET requests can potentially execute under Full trust, even if the level attribute specifies a different trust level. Unless there are specific reasons for doing this, do not reset this attribute from the default of true.
This attribute is new in the .NET Framework version 2.0.
The default is True.
Specifies the required root element in every configuration file that is used by the common language runtime and the .NET Framework applications.
Specifies the root element for the ASP.NET configuration settings in a configuration file and contains configuration elements that configure ASP.NET Web applications and control how the applications behave.
The trust element configures the level of code access security (CAS) that is applied to an application. Security policy files are mapped to trust level names in the securityPolicy collection element. The policy file lists the set of permissions that are granted by the trust level. The trust element specifies which trust level to apply to the ASP.NET application. For information about ASP.NET and policy files, see .
By default, Web applications run with Full trust. Full-trust applications are granted unrestricted code access permissions by code access security policy. These permissions include built-in system and custom permissions. This means that code access security will not prevent your application from accessing any secured resources. The success or failure of the resource access attempt is determined purely by operating system-level security. If an application is configured with a trust level other than Full, it is referred to as a partial-trust application. Partial-trust applications have restricted permissions, which limit access to secured resources for the application.
For improved security in a hosted environment, use the location element in the root Web.config file to enclose securityPolicy and trust elements for hosted applications and the allowOverride="False" attribute to prevent applications from overriding the settings in a more local Web.config file. You can optionally make use of multiple location elements, each with a different path attribute, if you want to configure different trust levels for different hosted applications. For an example of this kind of configuration, see "Example," later in this topic.
Web applications that are built on the .NET Framework version 1.0 always run with Full trust because the types in System.Web demand full-trust callers. When you upgrade to a newer version of the .NET Framework, do not change the trust level without testing any previously existing applications.
The following default trust element is configured in the root Web.config file.
<location allowOverride="true"> <system.web> <securityPolicy> <trustLevel name="Full" policyFile="internal" /> <trustLevel name="High" policyFile="web_hightrust.config" /> <trustLevel name="Medium" policyFile="web_mediumtrust.config" /> <trustLevel name="Low" policyFile="web_lowtrust.config" /> <trustLevel name="Minimal" policyFile="web_minimaltrust.config"/> </securityPolicy> <trust level="Full" originUrl="" processRequestInApplicationTrust="true" /> </system.web> </location>
The following code example demonstrates how to use a root Web.config file to specify Medium trust level settings for all ASP.NET applications on the server and the location element to lock the settings. Another location element in the same configuration file is used to allow the Web.config file for the Default Web Site/Temp application to override the settings in the root Web.config file.
<location allowOverride="false"> <system.web> <securityPolicy> <trustLevel name="Full" policyFile="internal" /> <trustLevel name="High" policyFile="web_hightrust.config" /> <trustLevel name="Medium" policyFile="web_mediumtrust.config" /> <trustLevel name="Low" policyFile="web_lowtrust.config" /> <trustLevel name="Minimal" policyFile="web_minimaltrust.config"/> </securityPolicy> </system.web> </location> <location allowOverride="false"> <system.web> <trust level="Medium" originUrl="" /> </system.web> </location> <location allowOverride="true" path="Default Web Site/Temp"> <system.web> <trust level="Medium" originUrl="" /> </system.web> </location>
Configuration section handler
Microsoft Internet Information Services (IIS) version 5.0, 5.1, or 6.0
The .NET Framework version 1.0, 1.1, or 2.0
Microsoft Visual Studio 2003 or Visual Studio 2005